Penetration Testing (VAPT)

Web App Penetration Test (OWASP, Single App)


About This Service

Web App Penetration Test (OWASP Top 10, Single App)

A focused, manual penetration test of one web application, tested against the OWASP Top 10. I go beyond an automated scanner: authentication and session management, broken access control and IDOR, injection (SQL/NoSQL/command), cross-site scripting, security misconfiguration, sensitive-data exposure, SSRF and the business-logic flaws scanners miss. The work targets your app's real attack surface — login, user roles, payment or booking flows, file uploads and APIs — so you find out where a real attacker would actually get in.

You receive a severity-rated report (Critical/High/Medium/Low with CVSS-style scoring) written for both engineers and management: each finding has a clear proof-of-concept, the affected endpoint, the impact, and step-by-step fix guidance — plus an executive summary suitable for clients, partners or compliance reviews. After your team patches, a free retest of the reported issues is included to confirm the fixes hold. I work with SMEs, startups and free-zone/mainland businesses across Dubai, Abu Dhabi and Sharjah.

This is a fixed-scope, fixed-price test of a single web application. If you need broad VAPT across network, mobile, APIs and multiple systems, that's my separate VAPT gig — this one is the accessible, well-defined option for one web app. All testing is strictly authorized: I work under a signed scope and rules-of-engagement document covering exactly which app and environment, the test window and the methods allowed, and I never test any system without the owner's written permission.

What's included

  • OWASP Top 10 coverage — Manual testing of the full OWASP Top 10 categories
  • Auth + access-control tests — Login, sessions, roles, IDOR and privilege escalation
  • Severity-rated report — Critical/High/Medium/Low with CVSS-style scoring
  • PoC + fix guidance — Reproducible proof-of-concept and step-by-step remediation
  • Free retest — One retest of reported issues after you patch
  • Exec + technical summary — Report suitable for engineers and for compliance reviews

How it works

  1. Scope + authorize

     Agree the single app, environment and test window; sign scope and rules of engagement

  2. Test + document

     Manual OWASP-based testing of the app, recording each finding with a PoC

  3. Report + retest

     Deliver the severity-rated report, then retest the fixes you ship

Why work with me

  With me                              | Typical agency
  Fixed scope and price                | Open-ended quote
  Retest included                      | Charged extra
  Business-logic testing: manual       | Business-logic testing: scanner only
  Compliance-ready report              |